Techniques for detecting cybersecurity vulnerabilities in a cloud based computing environment based on forensic analysis of cloud logs

ABSTRACT

A system and method detects an exploited vulnerable cloud entity. The method includes: detecting in at least one cloud log of a cloud computing environment a plurality of events, each event corresponding to a failed action, each event further corresponding to a cloud entity deployed in the cloud computing environment; extracting from the cloud log an identifier of the cloud entity; traversing a security graph to detect a node representing the cloud entity, based on the extracted identifier, wherein the security graph includes a representation of the cloud computing environment; detecting a node representing a cybersecurity vulnerability connected to the node representing the cloud entity; and initiating a mitigation action for the cloud entity based on the cybersecurity vulnerability.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of U.S. Provisional Application No. 63/267,365 filed on Jan. 31, 2022, the contents of which are hereby incorporated by reference.

TECHNICAL FIELD

The present disclosure relates generally to cloud computing, and more specifically to performing forensic analysis in a cloud computing environment.

BACKGROUND

Cloud computing technologies have made it possible to abstract away hardware considerations in a technology stack. For example, computing environments such as Amazon® Web Services (AWS) or Google Cloud Platform (GCP) allow a user to implement a wide variety of software and provide the relevant hardware, with the user only paying for what they need. This shared provisioning has allowed resources to be better utilized, both for the owners of the resources and for those who wish to execute software applications and services which require those resources.

This technology however does not come without its disadvantages. As the computing environment is now physically outside of an organization, and exposed in terms of access to and from the computing environment, vulnerabilities may be more likely to occur.

While many solutions exist which attempt to block cyberattacks, the reality is that at least some of these attacks will inevitably be successful. An attack may be, for example, unauthorized access to sensitive information, such as information stored in a database. Attacks can be categorized based on severity; for example, an attack that merely allows the attacker to see that a file exists on a workload is probably less severe than an attack which allows the attacker to view, or download, that same file.

Digital forensics, or cybersecurity forensics, is a field of art which includes actions that attempt to identify what an attacker was able to accomplish in a computing environment which was attacked. Typically, an individual who has knowledge of the computing environment will manually examine workloads to attempt to discover the extent of damage performed by an attacker, if at all such damage exists. This process requires specialized knowledge which is not easily transferable, and is labor intensive in terms of human hours.

It would therefore be advantageous to provide a solution that would overcome the challenges noted above.

SUMMARY

A summary of several example embodiments of the disclosure follows. This summary is provided for the convenience of the reader to provide a basic understanding of such embodiments and does not wholly define the breadth of the disclosure. This summary is not an extensive overview of all contemplated embodiments, and is intended to neither identify key or critical elements of all embodiments nor to delineate the scope of any or all aspects. Its sole purpose is to present some concepts of one or more embodiments in a simplified form as a prelude to the more detailed description that is presented later. For convenience, the term “some embodiments” or “certain embodiments” may be used herein to refer to a single embodiment or multiple embodiments of the disclosure.

Certain embodiments disclosed herein include a method for detecting an exploited vulnerable cloud entity. The method comprises: detecting in at least one cloud log of a cloud computing environment a plurality of events, each event corresponding to a failed action, each event further corresponding to a cloud entity deployed in the cloud computing environment; extracting from the cloud log an identifier of the cloud entity; traversing a security graph to detect a node representing the cloud entity, based on the extracted identifier, wherein the security graph includes a representation of the cloud computing environment; detecting a node representing a cybersecurity vulnerability connected to the node representing the cloud entity; and initiating a mitigation action for the cloud entity based on the cybersecurity vulnerability.

Certain embodiments disclosed herein also include a non-transitory computer readable medium having stored thereon instructions causing a processing circuitry to execute a process, the process comprising: detecting in at least one cloud log of a cloud computing environment a plurality of events, each event corresponding to a failed action, each event further corresponding to a cloud entity deployed in the cloud computing environment; extracting from the cloud log an identifier of the cloud entity; traversing a security graph to detect a node representing the cloud entity, based on the extracted identifier, wherein the security graph includes a representation of the cloud computing environment; detecting a node representing a cybersecurity vulnerability connected to the node representing the cloud entity; and initiating a mitigation action for the cloud entity based on the cybersecurity vulnerability.

Certain embodiments disclosed herein also include a system for detecting an exploited vulnerable cloud entity. The system comprises: a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: detect in at least one cloud log of a cloud computing environment a plurality of events, each event corresponding to a failed action, each event further corresponding to a cloud entity deployed in the cloud computing environment; extract from the cloud log an identifier of the cloud entity; traverse a security graph to detect a node representing the cloud entity, based on the extracted identifier, wherein the security graph includes a representation of the cloud computing environment; detect a node representing a cybersecurity vulnerability connected to the node representing the cloud entity; and initiate a mitigation action for the cloud entity based on the cybersecurity vulnerability.

BRIEF DESCRIPTION OF THE DRAWINGS

The subject matter disclosed herein is particularly pointed out and distinctly claimed in the claims at the conclusion of the specification. The foregoing and other objects, features, and advantages of the disclosed embodiments will be apparent from the following detailed description taken in conjunction with the accompanying drawings.

FIG. 1 is a network diagram utilized to describe the various disclosed embodiments.

FIG. 2 is a network log of a cloud based computing environment, in accordance with an embodiment.

FIG. 3 is a role log of a cloud based computing environment, in accordance with an embodiment.

FIG. 4 is another role log of a cloud based computing environment, in accordance with an embodiment.

FIG. 5 is a security graph, implemented in accordance with an embodiment.

FIG. 6 is a flowchart of a method for generating a forensic analysis report based on a security graph, implemented in accordance with an embodiment.

FIG. 7 is a schematic diagram of a forensic analyzer according to an embodiment.

FIG. 8 is a flowchart of a method for detecting an exploited vulnerable cloud entity, implemented in accordance with an embodiment.

DETAILED DESCRIPTION

It is important to note that the embodiments disclosed herein are only examples of the many advantageous uses of the innovative teachings herein. In general, statements made in the specification of the present application do not necessarily limit any of the various claimed embodiments. Moreover, some statements may apply to some inventive features but not to others. In general, unless otherwise indicated, singular elements may be in plural and vice versa with no loss of generality. In the drawings, like numerals refer to like parts through several views.

The various disclosed embodiments include a method and system for detecting an exploited cloud entity in a cloud computing environment based on utilizing a cloud log and a security graph. In certain embodiments, a cloud entity, such as a principal, resource, and the like, is exploitable, for example by exploiting a vulnerability, misconfiguration, and the like. It is advantageous to detect, in as little time as possible, when an exploitable cloud entity becomes an exploited cloud entity. Exploiting a cloud entity, e.g., encrypting a database with ransomware, deploying cryptominers, and the like, utilizes cloud resources over time and takes time to accomplish. Therefore, the faster such exploits are detected, the less time an attacker has to successfully deploy their attack. Further, reducing the time over which an attack happens also reduces the impact of the attack on the target system.

In an embodiment, a cloud log is searched to detect a failed action. In some embodiments, a plurality of failed actions are detected as a series of events.

A failed action includes a record extracted from the cloud log, according to an embodiment. A record includes data describing a failed action, such as a communication attempt between a workload in the cloud computing environment and a public network, an attempt to change permissions of a user account, initiation of a privilege escalation, and the like. For example, a record of communication between a workload and a public network includes, in an embodiment, a source identifier, a destination identifier, a number of packets transmitted, and the like.

In an embodiment, the system is configured to extract from a record of a failed action an identifier of a cloud entity, such as a resource (e.g., workload), principal (e.g., user account), and the like. A query is generated for a security graph based on the identifier, to detect in the security graph a node representing the cloud entity. In an embodiment the security graph includes a representation of the cloud computing environment. The security graph is traversed to detect additional nodes connected to the node representing the cloud entity. For example, the node representing the cloud entity is connected, in an embodiment, to a node representing a cybersecurity issue, a node representing a secret, and the like. A node representing a cloud entity is connected to a node representing a cybersecurity issue to indicate that the cloud entity includes the cybersecurity issue.

In certain embodiments, a mitigation action is initiated in response to detecting the failed action on a cloud entity which has a cybersecurity issue. In an embodiment, the mitigation action is initiated in response to detecting that the cybersecurity issue node is connected to the cloud entity node. This indicates that the cloud entity has a cybersecurity issue, and based on the event detected in the cloud log, the cybersecurity issue has been exploited.
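The following is an added worked example of the pipeline just described (failed actions in a cloud log, identifier extraction, security graph traversal, mitigation), written for this page; it is not code from the patent or from any product. The log records are constructed CloudTrail-style JSON objects, the security graph is a hypothetical in-memory dictionary standing in for a graph database, and the node identifiers, mitigation names and the two-failure threshold are assumptions chosen for the illustration.

```python
from collections import deque

# Constructed CloudTrail-style records (sample input for this example, not from the page).
# CloudTrail marks a failed API call by adding an "errorCode" field to the record.
CLOUD_LOG = [
    {"eventName": "AssumeRole", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "10.0.1.23"},
    {"eventName": "GetObject", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "10.0.1.23"},
    {"eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/ci-runner"},
     "sourceIPAddress": "10.0.5.7"},
]

# Hypothetical in-memory security graph: node id -> node type, plus undirected edges.
# Principal node ids are the resource part of the ARN so a log identifier maps straight to a node.
GRAPH_NODES = {
    "user/alice": {"type": "principal"},
    "role/ci-runner": {"type": "principal"},
    "vm-114": {"type": "virtual_machine"},
    "vuln-548": {"type": "vulnerability", "detail": "outdated ssh daemon"},
    "internet": {"type": "enrichment"},
}
GRAPH_EDGES = [
    ("user/alice", "vm-114"),   # alice's account is tied to the VM (cf. user account node 546)
    ("vm-114", "vuln-548"),     # the VM carries a detected vulnerability (cf. node 548)
    ("vm-114", "internet"),     # the VM can reach the public network (cf. enrichment node 510)
]

# Assumed mapping from entity type to the mitigation a responder would initiate.
MITIGATIONS = {"principal": "revoke_active_sessions", "virtual_machine": "isolate_network"}


def failed_actions(records):
    """S810: keep only records whose action failed."""
    return [r for r in records if r.get("errorCode")]


def entity_identifier(record):
    """Extract the principal identifier from a record (resource part of the ARN, e.g. 'user/alice')."""
    return record["userIdentity"]["arn"].rsplit(":", 1)[-1]


def adjacency(edges):
    """Build an undirected adjacency map from the edge list."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def connected_vulnerabilities(start, nodes, adj, max_depth=2):
    """Breadth-first traversal from the entity node, collecting vulnerability nodes within max_depth hops.

    Depth is bounded so a principal is only linked to vulnerabilities on workloads it actually
    touches, not to every vulnerability reachable anywhere in the environment."""
    if start not in nodes:
        return []
    seen, queue, found = {start}, deque([(start, 0)]), []
    while queue:
        node, depth = queue.popleft()
        if nodes[node]["type"] == "vulnerability":
            found.append(node)
        if depth == max_depth:
            continue
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    return sorted(found)


def detect_exploited_entities(records, nodes, edges, min_failures=2):
    """Entities with at least min_failures failed actions and a reachable vulnerability node.

    A single denied call is common noise; requiring several failures from the same entity and a
    vulnerability in its graph neighbourhood is what turns the log event into an indicator."""
    adj = adjacency(edges)
    counts = {}
    for r in failed_actions(records):
        ident = entity_identifier(r)
        counts[ident] = counts.get(ident, 0) + 1
    findings = {}
    for ident, n in counts.items():
        if n < min_failures:
            continue
        vulns = connected_vulnerabilities(ident, nodes, adj)
        if vulns:
            findings[ident] = {
                "failed_actions": n,
                "vulnerabilities": vulns,
                "mitigation": MITIGATIONS.get(nodes[ident]["type"], "alert"),
            }
    return findings


if __name__ == "__main__":
    for entity, finding in detect_exploited_entities(CLOUD_LOG, GRAPH_NODES, GRAPH_EDGES).items():
        print(entity, finding)
```

Run as a script, the example reports only `user/alice`: two denied calls plus a vulnerability two hops away on the VM her account is tied to. The `ci-runner` role has no failed actions and no graph neighbourhood, so it is ignored even though it appears in the same log. In a real deployment the graph lookup would be a query against the graph database rather than a dictionary, and the failure count and hop limit would be tuned to the environment.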

It is recognized in this regard that a human can search through digital records to detect an event corresponding to a failed action, and in fact this is how certain forensic approaches are carried out. However, such solutions are often carried out as a response to a previously recognized or suspected cybersecurity breach. This is due to the fact that cloud logs include a tremendous amount of records, sometimes terabytes, or even petabytes in size. For a human operator, to constantly review such a log is impossible, and even if it were possible, is impractical due to the time constraints when performing cybersecurity mitigation.

By the time a human has sifted through petabytes of data, any damage caused by a breach will have already been done. Additionally, failed actions are not always isolated to a single record, action, and the like, in a cloud computing environment. Often a failed action is indicated as a cybersecurity breach in context of a plurality of actions, for example when a plurality of actions are initiated in temporal proximity to each other. Where hundreds and thousands of records are generated each second, it is not practical or possible for a human to consistently apply objective criteria to determine what constitutes a failed action which indicates a cybersecurity exploitation based on a plurality of actions in a cloud environment.

FIG. 1 shows an example network diagram 100 utilized to describe the various disclosed embodiments. In the example network diagram 100, two cloud environments are shown for simplicity, though it should be readily apparent that different configurations may be utilized without departing from the scope of this disclosure.

A production environment 110 is implemented in a first cloud computing environment. The first cloud computing environment is deployed on a cloud computing infrastructure in an embodiment, for example, Amazon® Web Services (AWS), Google® Cloud Platform (GCP), Microsoft® Azure, and the like.

The production environment 110 is implemented as a virtual private cloud (VPC), Virtual Network (VNet), and the like, according to an embodiment. A production environment 110 is a cloud computing environment which is utilized as a computing environment from which an organization operates, provides services, and the like. An organization may utilize multiple such cloud computing environments (e.g., an AWS environment, an Azure environment, etc.). In certain embodiments a production environment 110 has a corresponding staging environment, which in an embodiment is substantially identical to the production environment 110, but is used for testing purposes in order to test services, workloads, policies, and the like, before implementing them in a production environment.

The production environment 110 includes a plurality of cloud entities. In an embodiment, a cloud entity is a resource, a principal, and the like. A resource is a cloud entity which is configured to perform an action in the cloud computing environment, provide access to a service, provide access to a hardware resource, a combination thereof, and the like. For example, in an embodiment, a resource is a workload, such as a serverless function 112, a virtual machine 114, and a container cluster 116. The production environment 110 includes a plurality of each of a different resource type, in some embodiments.

In an embodiment a serverless function 112 is, for example, an AWS Lambda® function. A virtual machine 114 is, for example, a virtual machine hosted on a hypervisor such as Oracle® VirtualBox, according to an embodiment. In some embodiments a container cluster 116 is implemented utilizing a Kubernetes® engine, a Docker® engine, and the like.

In an embodiment the production environment 110 further includes principals (not shown). A principal is a cloud entity which is authorized to perform actions on a resource, initiate an action in a cloud computing environment, a combination thereof, and the like. In some embodiments a resource is also a principal, for example when operating on another resource.

In an embodiment a principal is, for example, a user account, a service account, a role, and the like. In certain embodiments a workload in the production environment 110 generates activity which is logged in a network log 118. In an embodiment the network log 118 is implemented as a file that contains events (also known as records), which correspond to actions by one or more applications. Events may be, for example, user calls to objects, process calls to objects, authentication attempts, and the like. An example network log is discussed in more detail in FIG. 2 below.

In an embodiment, a network log 118 is a type of cloud log. In some embodiments the network log 118 is generated by a service executed by, for example, the serverless function 112. In an embodiment the service is configured to monitor a workload in the production environment 110 and write events to the network log 118. In some embodiments the service is configured to write events to the network log 118 based on a predefined data schema.

In an embodiment, the production environment 110 is communicatively coupled with a public network 120, such as the Internet, and a security environment 130. In an embodiment the security environment 130 is implemented as a VPC deployed on a cloud computing infrastructure, such as AWS. In an embodiment, the production environment 110 and the security environment 130 are implemented using the same cloud computing infrastructure, different cloud computing infrastructures, combinations thereof, and the like.

In certain embodiments the security environment 130 includes a forensic analyzer 132, and a security graph 134. The security graph 134 is discussed in more detail with respect to FIG. 5 below, which is an example of a portion of a security graph. In an embodiment, the security graph 134 is implemented on a graph database, such as Neo4j®. In certain embodiments, the security graph 134 includes a representation of a production environment 110. For example, principals, resources, and the like, are represented as nodes on the security graph 134. In some embodiments, the security graph 134 further includes enrichment nodes, such as a node indicating a vulnerability, a node indicating access to a public network, and the like.

In an embodiment, the security environment 130 further includes a plurality of inspectors (not shown). In some embodiments, each inspector is configured to detect a cybersecurity object. For example, a cybersecurity object is, in an embodiment, a secret, a weak password, a certificate, a vulnerability, a misconfiguration, an exposure, a malware, a hash file, and the like. In some embodiments the forensic analyzer 132 is implemented as a workload, such as a node in a container cluster.

In an embodiment the forensic analyzer 132 is configured to access cloud logs, network logs, and similar logs generated in a cloud computing environment. Examples of logs are discussed in more detail below. In some embodiments the forensic analyzer 132 is further configured to access the security graph 134. In an embodiment, providing access to a forensic analyzer 132 includes providing access to a service account associated with the forensic analyzer 132. A service account associated with a workload, such as the forensic analyzer 132, allows the forensic analyzer to assume a role in a cloud computing environment. In an embodiment, permission to access a log, and the like, in a cloud computing environment, is provided to a service account which is associated with the forensic analyzer 132. In practice such a service account is granted read-only access to the logs and the graph, so that a compromised analyzer cannot itself alter the evidence it inspects.

In an embodiment the forensic analyzer 132 is configured to generate a forensic report. In some embodiments, the forensic report is based on a cloud log, a network log, the security graph, a combination thereof, and the like. In some embodiments the forensic report includes, for example, portions extracted from a cloud log, a network log, and the like, wherein the extracted portions each correspond to a node of the security graph 134. An example of a method for generating a forensic report is described in more detail below with respect to FIG. 6.

FIG. 2 is an example of a network log 200 of a cloud based computing environment, utilized to describe an embodiment. A network log 200 is a type of cloud log that includes, in an embodiment, a plurality of events, each event recorded as a row in the log. In an embodiment an event includes a plurality of data fields and their values. In certain embodiments a data field is, for example, an account identifier, an interface identifier, a source address, a destination address (for network messages), a port, a protocol, a number of bytes transferred, a number of packets transferred, an action (e.g., accept, reject, etc.), and the like.

FIG. 3 is an example of a role log 300 of a cloud-based computing environment, in accordance with an embodiment. The role log 300 includes events which are associated with user accounts. For example, a first record 310 includes an event by which a new user account was created. The first record 310 includes a plurality of data fields which are unique to the event. For example, the event has an event name 320, which indicates that the event is related to creating a user account, at an event time 322. Other identifiers, such as the username 324 of the created user account, are also recorded.

FIG. 4 is another example of a role log 400 of a cloud-based computing environment, in accordance with an embodiment. The role log 400 includes a second record 410, which indicates that a user Alice (of FIG. 3 above), who previously (based on the event time 412) created a user account Bob, added the user account Bob to an Admin group. The event name 420 indicates that the user account 422 was added to an admin group. Adding administrator accounts is not common, and if it is performed through a machine that may include a vulnerability, as explained herein, this may be an indication that the new administrator-level account is in fact an exploitation.

FIG. 5 is an example of a security graph 500, implemented in accordance with an embodiment. A security graph 500 may represent a cloud computing environment, such as the production environment 110 of FIG. 1 above, in a graph database, according to a predefined data schema. A cloud computing environment may be represented in a graph by mapping resources, principals, enrichments, and the like, to nodes in the security graph 500. A resource node may represent a resource, such as a workload. A principal node may represent a user account, service account, role, and the like. An enrichment node may represent an endpoint, such as a public network (e.g., the Internet), a vulnerability, and other attributes of a workload, for example.

An enrichment node 510 represents internet access, such that any node which is connected (e.g., by an edge) to the enrichment node 510 is configured to access the internet. A resource node 520 represents a gateway workload, which may be implemented for example as a node in a container cluster. A second resource node 530 represents a load balancer workload, which is connected by an edge to the resource node 520 representing the gateway, and to a network interface node 540. The network interface node 540 is connected to a resource node 550 which represents a virtual machine, such as virtual machine 114 of FIG. 1. The virtual machine 114 may include, for example, an operating system represented by OS node 542, an application which is executed on the OS of the virtual machine, represented by application node 544, a user account node 546 which represents a user account which is tied to the virtual machine 114, and a vulnerability node 548, which represents a vulnerability which was detected as being present on, or pertaining to, the virtual machine 114. A vulnerability may be, for example, an outdated software, a specific open port, a user account with high permissions, and any combination thereof.

FIG. 6 is an example flowchart 600 of a method for generating a forensic analysis report based on a security graph, implemented in accordance with an embodiment.

At S610, a cloud entity selection is received. A cloud entity may be, for example, a workload type (e.g., VM, container, serverless function, etc.), an application type (e.g., software application, appliance, OS, gateway, load balancer, etc.), a principal (e.g., user account, service account, etc.), enrichment, vulnerability, and the like. In an embodiment, a cloud entity selection may be received through a user interface. For example, a user may select one or more cloud entities from a predetermined list, and may further select a relationship between the cloud entities. For example, a user may indicate a selection of a virtual machine (workload type) that runs (relationship) a first application (application type) and has (relationship) a user account (principal) with (relationship) certain privileges and is connected to the internet (enrichment).

At S620, a threat is determined for the cloud entity based on the security graph. A threat may be, for example, a vulnerability, misconfiguration, exploitation, and the like. A misconfiguration may be, for example, a database which is not password protected, and should be password protected. For example, a forensic analyzer may receive the cloud entity selection, and query a security graph to detect nodes which match the selected cloud entity. A vulnerability on a workload, for example, is not necessarily exploited, or even exploitable. For example, a workload may have a vulnerability which allows broad access; however, if the workload is determined not to be accessible from an external network, then the vulnerability is not exploitable from that network (it may still be reachable by an attacker who already has a foothold inside the environment). It is therefore beneficial to reference cloud logs to further detect if a vulnerability was exploited.

At S630, a cloud log is inspected to detect events based on the selected cloud entity and the determined vulnerability. A cloud log may be, for example, a network log, a role log, and the like. In some embodiments, a plurality of cloud logs are inspected. In an embodiment, a forensic analyzer workload is configured to inspect a cloud log, based on data from a security graph. For example, the forensic analyzer 132 of FIG. 1 is configured to query a security graph based on a received cloud entity selection, and is further configured to receive a node identifier, node attributes, identifiers of enrichment nodes connected to the cloud entity, and the like. Node attributes may be data field values, such as a unique identifier, IP address, workload type, user account name, authentication status, and the like. The forensic analyzer may extract, from an output received from the security graph, values of the data fields, and perform a search on a cloud log for the extracted values. An event is detected when a match is generated between a data field value of the event and a value extracted from an output of the security graph query.

At S640, a forensic analysis output is generated. The forensic analysis output includes at least a portion of the cloud log, having the detected events. By generating the forensic analysis output, a user can significantly reduce the amount of information they need to sift through in order to determine if a vulnerability resulted in an exploitation. A cloud log may contain, even for a small window of time, a massive amount of information which is time consuming for a human to sift through in order to find an indication that a vulnerability was exploited. By determining which events are relevant based on the security graph, and providing only the relevant events to the user, the amount of information which the user sifts through is reduced.
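The following is an added example, written for this page rather than taken from the patent, of steps S610 through S640 applied to a network log of the kind described for FIG. 2: a cloud entity selection (a virtual machine that carries a vulnerability and is connected to the internet) is matched against a security graph, the matching nodes' attribute values are extracted, and only the log rows containing one of those values are kept. The log lines are constructed in the field order of the default AWS VPC flow log format with made-up addresses and identifiers; the security graph is a hypothetical in-memory dictionary, and its node ids, attribute names and relationship encoding (a flat neighbour list rather than typed edges) are assumptions.

```python
# Constructed VPC-flow-log-style lines (sample input, not from the page). The fields follow the
# default AWS VPC flow log field order; account id, interface ids and addresses are made up.
FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.23 43210 22 6 12 960 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.23 43211 22 6 20 1600 1700000061 1700000120 ACCEPT OK
2 123456789012 eni-0ffee123 10.0.5.7 10.0.5.8 51000 443 6 8 640 1700000000 1700000060 ACCEPT OK
"""
FLOW_FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport", "dstport",
               "protocol", "packets", "bytes", "start", "end", "action", "log_status"]

# Hypothetical security graph mirroring FIG. 5: each node has a type, searchable attributes and a
# list of neighbouring node ids. Relationship types are omitted for brevity (an assumption).
SECURITY_GRAPH = {
    "vm-114": {"type": "virtual_machine",
               "attrs": {"instance_id": "i-0abc1234", "ip": "10.0.1.23", "interface_id": "eni-0a1b2c3d"},
               "edges": ["os-542", "app-544", "user-546", "vuln-548", "internet-510"]},
    "vm-200": {"type": "virtual_machine",
               "attrs": {"instance_id": "i-0def5678", "ip": "10.0.5.8", "interface_id": "eni-0ffee123"},
               "edges": ["os-542"]},
    "os-542": {"type": "os", "attrs": {"name": "linux"}, "edges": []},
    "app-544": {"type": "application", "attrs": {"name": "sshd"}, "edges": []},
    "user-546": {"type": "principal", "attrs": {"name": "alice"}, "edges": []},
    "vuln-548": {"type": "vulnerability", "attrs": {"name": "outdated sshd"}, "edges": []},
    "internet-510": {"type": "enrichment", "attrs": {"name": "internet"}, "edges": []},
}


def parse_flow_log(text):
    """Turn space-separated flow log lines into one dict per event, keyed by FLOW_FIELDS."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            rows.append(dict(zip(FLOW_FIELDS, line.split())))
    return rows


def select_entities(graph, entity_type, required_neighbor_types):
    """S610/S620: nodes of the selected type whose neighbours cover every required type.

    For example entity_type='virtual_machine' with {'vulnerability', 'enrichment'} selects VMs that
    both carry a vulnerability and are connected to the internet enrichment node."""
    selected = []
    for node_id, node in graph.items():
        if node["type"] != entity_type:
            continue
        neighbor_types = {graph[n]["type"] for n in node["edges"]}
        if set(required_neighbor_types) <= neighbor_types:
            selected.append(node_id)
    return selected


def search_values(graph, node_ids):
    """Collect the attribute values of the selected nodes; these are the strings to look for in the log."""
    values = set()
    for node_id in node_ids:
        values.update(graph[node_id]["attrs"].values())
    return values


def forensic_output(graph, rows, entity_type, required_neighbor_types):
    """S630/S640: keep only the log events where some field equals a graph-derived value."""
    node_ids = select_entities(graph, entity_type, required_neighbor_types)
    values = search_values(graph, node_ids)
    events = [row for row in rows if values & set(row.values())]
    return {"entities": node_ids, "search_values": sorted(values), "events": events}


if __name__ == "__main__":
    report = forensic_output(SECURITY_GRAPH, parse_flow_log(FLOW_LOG),
                             "virtual_machine", {"vulnerability", "enrichment"})
    for event in report["events"]:
        print(event["srcaddr"], "->", event["dstaddr"], event["dstport"], event["action"])
```

With the selection "virtual machine with a vulnerability and internet access", only `vm-114` matches, so the output contains the two flow records that touch its address or interface (a rejected and then an accepted connection to port 22 from an external address) and drops the unrelated traffic to `vm-200`. Widening the selection to any VM that merely runs an OS returns all three rows, which illustrates why the selection, not the log, is what bounds the size of the forensic output.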

FIG. 7 is an example schematic diagram of a forensic analyzer 700 according to an embodiment. The forensic analyzer 700 includes a processing circuitry 710 coupled to a memory 720, a storage 730, and a network interface 740. In an embodiment, the components of the forensic analyzer 700 may be communicatively connected via a bus 750.

The processing circuitry 710 may be realized as one or more hardware logic components and circuits. For example, and without limitation, illustrative types of hardware logic components that can be used include field programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), application-specific standard products (ASSPs), system-on-a-chip systems (SOCs), graphics processing units (GPUs), tensor processing units (TPUs), general-purpose microprocessors, microcontrollers, digital signal processors (DSPs), and the like, or any other hardware logic components that can perform calculations or other manipulations of information.

The memory 720 may be volatile (e.g., random access memory, etc.), non-volatile (e.g., read only memory, flash memory, etc.), or a combination thereof.

In one configuration, software for implementing one or more embodiments disclosed herein may be stored in the storage 730. In another configuration, the memory 720 is configured to store such software. Software shall be construed broadly to mean any type of instructions, whether referred to as software, firmware, middleware, microcode, hardware description language, or otherwise. Instructions may include code (e.g., in source code format, binary code format, executable code format, or any other suitable format of code). The instructions, when executed by the processing circuitry 710, cause the processing circuitry 710 to perform the various processes described herein.

The storage 730 may be magnetic storage, optical storage, and the like, and may be realized, for example, as flash memory or other memory technology, or any other medium which can be used to store the desired information.

The network interface 740 allows the forensic analyzer 700 to communicate with, for example, a security graph, a cloud environment, and the like.

It should be understood that the embodiments described herein are not limited to the specific architecture illustrated in FIG. 7, and other architectures may be equally used without departing from the scope of the disclosed embodiments.

Furthermore, in certain embodiments the [other system] may be implemented with the architecture illustrated in FIG. 7. In other embodiments, other architectures may be equally used without departing from the scope of the disclosed embodiments.

FIG. 8 is an example flowchart 800 of a method for detecting an exploited vulnerable cloud entity, implemented in accordance with an embodiment. Cybersecurity defense benefits from detecting exploitable cloud entities, such as workloads (e.g., workloads that can be exploited through an exposure, misconfiguration, vulnerability, and the like) and exploited cloud entities (e.g., workloads which have already been exploited). Detection of exploited workloads is desirable to occur as soon as possible, as the longer a workload is exploited the more opportunity an attacker has, for example, to do harm, subvert system resources, cause financial damage, steal data, and the like.

This flowchart discusses workloads as an example of a cloud entity which can be potentially exploited, and detection of such workloads which are actually exploited. It is readily apparent that these teachings apply to other cloud entities, such as principals and resources. A principal is, for example, a user account, a service account, a role, and the like, according to an embodiment. A resource is, in an embodiment, a workload (e.g., such as explained above), a managed resource, a bucket, a database, and the like.

At S810, a plurality of events are detected in a cloud log. In an embodiment, the cloud log is a log generated in a cloud computing environment. In certain embodiments, the cloud log includes a plurality of records, each record corresponding to an event. A record is a data structure, which in an embodiment is a predetermined data structure which describes an event. For example, an event is, according to an embodiment, an action initiated in the cloud computing environment, a communication between a first workload and a second workload in the cloud computing environment, a communication between a first workload and an external component (e.g., through a public network such as the Internet), and the like.

In some embodiments, the plurality of events each correspond to a data record having a common attribute. For example, the common attribute is, in an embodiment, an action type (e.g., assumeRole), a workload identifier, a principal identifier, a workload type (e.g., virtual machine, container node, serverless function, etc.), a principal type (e.g., user account, service account, role, etc.), a network origin address, a network destination address, combinations thereof, and the like.

In certain embodiments, an event corresponds to a failed action. A failed action is, for example, a failed access to a workload, a failed access to a file, a failed access to a folder, a failed access to a directory, a failed change in user account permissions, and the like. For example, a failed change in user account permissions is tagged as a failed “assumeRole” event, where a user account attempts to assume a role (i.e., a set of permissions) and does not succeed.

In some embodiments, a failed action is an indication of a cybersecurityvulnerability which is being exploited, an attempt is being made toexploit the cybersecurity vulnerability, and the like. For example,where a hacker achieves control of a workload, user account, and thelike, a typical attempt will be to increase permissions of the useraccount (also known as permission escalation). To do this the hackerattempts to initiate actions sequentially to see what works (i.e., whatwill result in success). By providing early detection of this attack,early mitigation can be performed, thereby reducing the damage of theattack. In an embodiment, the failed action is failed based oninsufficient permission to initiate the action.

In certain embodiments, a plurality of events are detected, where afirst event corresponds to a failed action, and a second eventcorresponds to a successful action. For example, according to anembodiment the failed action is an assumeRole of a first role having afirst set of permissions, and the successful action is an assumeRole ofa second role having a second set of permissions. In some embodiments, atime threshold is utilized to determine if an amount of time elapsedbetween the failed action and the successful action is within athreshold. In some embodiments, the failed action is of a first type,and the successful action is of a second type.

In some embodiments, a failed action, a successful action, a combinationthereof, and the like, correspond to a predetermined action. Forexample, in an embodiment a failed assumeRole followed by a successfulassumeRole is suspicious. As another example, a failed access to a disk,followed by a failed assumeRole, followed by a successful assumeRolewhich all originate from a single user account is likewise suspiciousactivity. A disk access, an assumed role, and the like, are examples ofa predetermined action, according to an embodiment. In an embodiment, afailed action is an action in a series of events, each eventcorresponding to a failed action, a successful action, and the like. Aseries of events includes an event order, i.e., an order by which eventsoccurred, for example based on a timestamp of a record, according to anembodiment.

In certain embodiments, a failed action, a successful action, and thelike are any one of: deletion of a record, changing a permission of aprincipal account, changing a configuration of a resource, encrypting adatabase, deploying multiple workloads, deactivating multiple workloads,generating a secret, generating a certificate, generating a key,deleting a secret, deleting a certificate, deleting a key, exposing aresource to a public network, exfiltrating data, planting a maliciousentity, initiating a privilege escalation, encrypting a record, assuminga role, a combination thereof, and the like.

At S820, an identifier of a workload is extracted from an event corresponding to a failed action. In an embodiment, extracting the identifier includes reading a cloud log, extracting an event record, parsing the event record, and detecting a predetermined record attribute. For example, in an embodiment the identifier of a workload is detected by parsing the event record and searching for a term “resourceID”.

In some embodiments, access to the cloud log is provided prior to reading the cloud log. In certain embodiments, access to the cloud log is granted to a service account associated with an inspection environment.

At S830, a node corresponding to the workload is detected in a security graph. In an embodiment, the security graph includes a representation of the cloud computing environment in which the workload is deployed. Such a representation and an embodiment thereof are discussed in more detail herein. The node is also referred to as a workload node.

In certain embodiments, detecting a node in the security graph includes generating a query which includes the workload identifier, and executing the query on a database management system of the graph database hosting the security graph. A graph database is, in an embodiment, Neo4j®.

At S840, a cybersecurity issue node is detected. In an embodiment, the cybersecurity issue node represents a cybersecurity issue, such as a misconfiguration, an exposure, a threat, a vulnerability, a weak password, an exposed password, an out of date software version, and the like. In certain embodiments, the cybersecurity issue node is connected to the workload node to indicate that the workload includes the cybersecurity issue, is susceptible to the cybersecurity issue, and the like.

By storing a representation of a cybersecurity issue in the security graph and connecting workload nodes representing workloads having the cybersecurity issue to the cybersecurity issue node, a more compact representation is achieved: rather than storing duplicate information about the cybersecurity issue in each workload node, data of the cybersecurity issue is stored only in the cybersecurity issue node, thereby reducing the amount of storage required to store the representation on the graph database.

At S850, a mitigation action is initiated. In an embodiment, the mitigation action is initiated in response to detecting that the cybersecurity issue node is connected to the workload node. This indicates that the workload has a cybersecurity issue, and based on the event detected in the cloud log, the cybersecurity issue has been exploited. In some embodiments, where a failed action is followed by a successful action, the mitigation action includes initiating a mitigation action based on the successful action. For example, according to an embodiment where the successful action is access to a disk by a user account, the mitigating action includes removing access granted to the user account to access the disk.

In some embodiments, the mitigation action includes generating a notification to indicate that the workload is compromised (i.e., the cybersecurity issue is exploited). In certain embodiments, the mitigation action includes updating a severity of an alert to indicate that a workload which is potentially exploitable has now been verified as exploited. This is advantageous as an alert is generated, in an embodiment, for a workload having a cybersecurity issue, and in certain embodiments the alert further includes a severity. However, it is clear that a potential threat is less urgent than a threat which is currently, or has recently been, carried out. It is therefore advantageous to update the severity of an alert (e.g., from medium to critical).

In certain embodiments, the mitigation action is initiated based on a principal, the workload, the cybersecurity issue, a combination thereof, and the like. For example, a mitigation action based on a principal includes, in an embodiment, removing an access, a permission, a role, a combination thereof, and the like, associated with a principal.

In an embodiment, the mitigation action includes any one of: revoking a permission associated with the cloud entity, changing a configuration of a resource, reducing a network exposure of the cloud entity, isolating the cloud entity, blocking network traffic to the cloud entity, blocking network traffic from the cloud entity, a combination thereof, and the like.
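The following is an added worked example, not code from the patent or from any product it describes, that walks steps S810 through S850 end to end on a constructed log: detecting a failed action followed by a successful action of the same type from the same principal within a time threshold, extracting the resourceID, looking the workload up in a security graph, finding a connected cybersecurity issue node, and escalating the alert severity as the mitigation. The JSON record layout (eventTime, eventName, errorCode, principalId, resourceID), the in-memory dictionary graph standing in for a Neo4j-hosted graph, and every identifier in it are assumptions; a real deployment would replace the lookup functions with queries against the graph database.

```python
# Added example: a minimal end-to-end sketch of steps S810-S850. The JSON
# record layout (eventTime, eventName, errorCode, principalId, resourceID) and
# the in-memory graph are assumptions standing in for CloudTrail-style logs
# and a Neo4j-hosted security graph; all identifiers are constructed.
import json
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log: PRINCIPAL-A fails AssumeRole twice, then succeeds
# 13 seconds later; PRINCIPAL-B only fails and never succeeds.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"eventTime": "2022-01-31T10:00:00Z", "eventName": "AssumeRole", "errorCode": "AccessDenied",
     "principalId": "PRINCIPAL-A", "resourceID": "workload-1"},
    {"eventTime": "2022-01-31T10:00:07Z", "eventName": "AssumeRole", "errorCode": "AccessDenied",
     "principalId": "PRINCIPAL-A", "resourceID": "workload-1"},
    {"eventTime": "2022-01-31T10:00:20Z", "eventName": "AssumeRole",
     "principalId": "PRINCIPAL-A", "resourceID": "workload-1"},
    {"eventTime": "2022-01-31T11:30:00Z", "eventName": "DescribeInstances", "errorCode": "AccessDenied",
     "principalId": "PRINCIPAL-B", "resourceID": "workload-2"},
])

# Constructed security graph: nodes keyed by identifier; edges are
# (source, relation, target) triples. One issue node can be shared by many workloads.
GRAPH_NODES = {
    "workload-1": {"label": "Workload"}, "workload-2": {"label": "Workload"},
    "PRINCIPAL-A": {"label": "Principal"},
    "issue-1": {"label": "CybersecurityIssue", "kind": "weak password", "alert_severity": "medium"},
}
GRAPH_EDGES = [("workload-1", "HAS_ISSUE", "issue-1"), ("PRINCIPAL-A", "RUNS_ON", "workload-1")]

@dataclass
class Event:
    time: datetime
    name: str
    principal: str
    resource: str
    failed: bool

def parse_log(text):
    """S810/S820: one Event per record, in timestamp order. A record carrying
    errorCode is a failed action; resourceID is the workload identifier."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        rec = json.loads(line)
        events.append(Event(datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
                            rec["eventName"], rec["principalId"], rec["resourceID"],
                            "errorCode" in rec))
    return sorted(events, key=lambda e: e.time)

def failed_then_success(events, threshold_seconds=300):
    """The S810 predetermined sequence: a successful action preceded, within the
    time threshold, by a failed action of the same type from the same principal.
    Returns (principal, resource, failed_event, success_event) tuples."""
    by_principal = {}
    for e in events:
        by_principal.setdefault(e.principal, []).append(e)
    hits = []
    for principal, evs in by_principal.items():
        for i, ok in enumerate(evs):
            if ok.failed:
                continue
            for f in reversed(evs[:i]):  # nearest earlier failure of the same type
                if f.failed and f.name == ok.name and \
                        (ok.time - f.time).total_seconds() <= threshold_seconds:
                    hits.append((principal, f.resource, f, ok))
                    break
    return hits

def find_workload_node(resource_id):
    """S830: query the graph by the extracted identifier (a lookup here)."""
    node = GRAPH_NODES.get(resource_id)
    return resource_id if node and node["label"] == "Workload" else None

def connected_issues(node_id):
    """S840: cybersecurity issue nodes connected to the workload node."""
    return [dst for src, rel, dst in GRAPH_EDGES if src == node_id and rel == "HAS_ISSUE"
            and GRAPH_NODES[dst]["label"] == "CybersecurityIssue"]

def detect_exploited_workloads(log_text):
    """S810-S850 end to end: one mitigation record per exploited (workload, issue)
    pair; the issue's alert severity is raised because exploitation is now verified."""
    actions = []
    for principal, resource, _failed, ok in failed_then_success(parse_log(log_text)):
        wnode = find_workload_node(resource)
        if wnode is None:
            continue
        for issue in connected_issues(wnode):
            GRAPH_NODES[issue]["alert_severity"] = "critical"  # S850: medium -> critical
            actions.append({
                "workload": wnode, "issue": GRAPH_NODES[issue]["kind"], "principal": principal,
                "mitigation": ["notify: workload compromised",
                               "escalate alert severity to critical",
                               "revoke " + ok.name + " granted to " + principal],
            })
    return actions
```

Running `detect_exploited_workloads(SAMPLE_LOG)` yields a single mitigation record for workload-1, since only PRINCIPAL-A's failed AssumeRole is followed by a success inside the window; PRINCIPAL-B's lone failure produces nothing, and tightening `threshold_seconds` below 13 suppresses the hit entirely, which is the time-threshold behaviour described at S810. The mitigation strings are placeholders for the notification, severity update and permission revocation the text lists at S850.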

The various embodiments disclosed herein can be implemented as hardware, firmware, software, or any combination thereof. Moreover, the software is preferably implemented as an application program tangibly embodied on a program storage unit or computer readable medium consisting of parts, or of certain devices and/or a combination of devices. The application program may be uploaded to, and executed by, a machine comprising any suitable architecture. Preferably, the machine is implemented on a computer platform having hardware such as one or more central processing units (“CPUs”), a memory, and input/output interfaces. The computer platform may also include an operating system and microinstruction code. The various processes and functions described herein may be either part of the microinstruction code or part of the application program, or any combination thereof, which may be executed by a CPU, whether or not such a computer or processor is explicitly shown. In addition, various other peripheral units may be connected to the computer platform such as an additional data storage unit and a printing unit. Furthermore, a non-transitory computer readable medium is any computer readable medium except for a transitory propagating signal.

All examples and conditional language recited herein are intended for pedagogical purposes to aid the reader in understanding the principles of the disclosed embodiment and the concepts contributed by the inventor to furthering the art, and are to be construed as being without limitation to such specifically recited examples and conditions. Moreover, all statements herein reciting principles, aspects, and embodiments of the disclosed embodiments, as well as specific examples thereof, are intended to encompass both structural and functional equivalents thereof. Additionally, it is intended that such equivalents include both currently known equivalents as well as equivalents developed in the future, i.e., any elements developed that perform the same function, regardless of structure.

It should be understood that any reference to an element herein using a designation such as “first,” “second,” and so forth does not generally limit the quantity or order of those elements. Rather, these designations are generally used herein as a convenient method of distinguishing between two or more elements or instances of an element. Thus, a reference to first and second elements does not mean that only two elements may be employed there or that the first element must precede the second element in some manner. Also, unless stated otherwise, a set of elements comprises one or more elements.

As used herein, the phrase “at least one of” followed by a listing of items means that any of the listed items can be utilized individually, or any combination of two or more of the listed items can be utilized. For example, if a system is described as including “at least one of A, B, and C,” the system can include A alone; B alone; C alone; 2A; 2B; 2C; 3A; A and B in combination; B and C in combination; A and C in combination; A, B, and C in combination; 2A and C in combination; A, 3B, and 2C in combination; and the like.

What is claimed is:
 1. A method for detecting an exploited vulnerable cloud entity, comprising: detecting in at least one cloud log of a cloud computing environment a plurality of events, each event corresponding to a failed action, each event further corresponding to a cloud entity deployed in the cloud computing environment; extracting from the cloud log an identifier of the cloud entity; traversing a security graph to detect a node representing the cloud entity, based on the extracted identifier, wherein the security graph includes a representation of the cloud computing environment; detecting a node representing a cybersecurity vulnerability connected to the node representing the cloud entity; and initiating a mitigation action for the workload based on the cybersecurity vulnerability.
 2. The method of claim 1, further comprising: detecting a principal identifier in an event corresponding to a failed action; and detecting an event corresponding to a successful action associated with the principal identifier.
 3. The method of claim 2, further comprising: determining that the successful action is an action which corresponds to a predetermined action; and initiating a mitigation action based on the successful action.
 4. The method of claim 3, wherein initiating the mitigation action includes any one of: revoking a permission associated with the cloud entity, changing a configuration of a resource, reducing a network exposure of the cloud entity, isolating the cloud entity, blocking network traffic to the cloud entity, blocking network traffic from the cloud entity, and a combination thereof.
 5. The method of claim 2, wherein the principal identifier corresponds to any one of: a user account, a service account, and a role.
 6. The method of claim 2, further comprising: detecting a series of events and principal identifier, each event in the series of events corresponding to a unique failed action.
 7. The method of claim 1, wherein the failed action is failed based on insufficient permission to initiate the action.
 8. The method of claim 1, wherein the cybersecurity vulnerability is any one of: a weak password, an exposed password, a misconfiguration, an exposure, and a combination thereof.
 9. The method of claim 1, further comprising: generating a notification to indicate that the workload is compromised, as part of the mitigation action.
 10. The method of claim 1, further comprising: updating a severity of an alert associated with the cybersecurity vulnerability as part of the mitigation action.
 11. The method of claim 1, further comprising: detecting a node representing a principal connected to the node representing the workload; and initiating a mitigation action based on the principal.
 12. The method of claim 1, wherein the failed action corresponds to any one of: deletion of a record, changing a permission of a principal account, changing a configuration of a resource, encrypting a database, deploying multiple workloads, deactivating multiple workloads, generating a secret, generating a certificate, generating a key, deleting a secret, deleting a certificate, deleting a key, exposing a resource to a public network, exfiltrating data, planting a malicious entity, initiating a privilege escalation, encrypting a record, assuming a role, and a combination thereof.
 13. A non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute a process, the process comprising: detecting in at least one cloud log of a cloud computing environment a plurality of events, each event corresponding to a failed action, each event further corresponding to a cloud entity deployed in the cloud computing environment; extracting from the cloud log an identifier of the cloud entity; traversing a security graph to detect a node representing the cloud entity, based on the extracted identifier, wherein the security graph includes a representation of the cloud computing environment; detecting a node representing a cybersecurity vulnerability connected to the node representing the cloud entity; and initiating a mitigation action for the workload based on the cybersecurity vulnerability.
 14. A system for detecting an exploited vulnerable cloud entity, comprising: a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: detect in at least one cloud log of a cloud computing environment a plurality of events, each event corresponding to a failed action, each event further corresponding to a cloud entity deployed in the cloud computing environment; extract from the cloud log an identifier of the cloud entity; traverse a security graph to detect a node representing the cloud entity, based on the extracted identifier, wherein the security graph includes a representation of the cloud computing environment; detect a node representing a cybersecurity vulnerability connected to the node representing the cloud entity; and initiate a mitigation action for the workload based on the cybersecurity vulnerability.
 15. The system of claim 14, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to: detect a principal identifier in an event corresponding to a failed action; and detect an event corresponding to a successful action associated with the principal identifier.
 16. The system of claim 15, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to: determine that the successful action is an action which corresponds to a predetermined action; and initiate a mitigation action based on the successful action.
 17. The system of claim 16, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to: initiate the mitigation action including any one of: revoking a permission associated with the cloud entity, changing a configuration of a resource, reducing a network exposure of the cloud entity, isolating the cloud entity, blocking network traffic to the cloud entity, blocking network traffic from the cloud entity, and a combination thereof.
 18. The system of claim 15, wherein the principal identifier corresponds to any one of: a user account, a service account, and a role.
 19. The system of claim 15, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to: detect a series of events and principal identifier, each event in the series of events corresponding to a unique failed action.
 20. The system of claim 14, wherein the failed action is failed based on insufficient permission to initiate the action.
 21. The system of claim 14, wherein the cybersecurity vulnerability is any one of: a weak password, an exposed password, a misconfiguration, an exposure, and a combination thereof.
 22. The system of claim 14, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to: generate a notification to indicate that the workload is compromised, as part of the mitigation action.
 23. The system of claim 14, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to: update a severity of an alert associated with the cybersecurity vulnerability as part of the mitigation action.
 24. The system of claim 14, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to: detect a node representing a principal connected to the node representing the workload; and initiate a mitigation action based on the principal.
 25. The system of claim 14, wherein the failed action corresponds to any one of: deletion of a record, changing a permission of a principal account, changing a configuration of a resource, encrypting a database, deploying multiple workloads, deactivating multiple workloads, generating a secret, generating a certificate, generating a key, deleting a secret, deleting a certificate, deleting a key, exposing a resource to a public network, exfiltrating data, planting a malicious entity, initiating a privilege escalation, encrypting a record, assuming a role, and a combination thereof.